Tuesday, November 21, 2017

Gibon Ransomware Analysis

Wapack Labs analysts recently observed a handful of Gibon malware samples in the wild and are providing this report in case the malware becomes more widespread. Gibon is a new ransomware family, named for the string found both in its HTTP User-Agent and in the specimen's ASCII strings. The malware was originally marketed on May 11 and 12 on several hacker forums for $500. Advertised functionality includes recursive encryption of all files on the computer, a README.txt file with instructions for the victim, and encryption/decryption keys that are sent to the admin panel and used for decryption. It is delivered via spam emails with a link to download a Microsoft Word document...READ MORE

Wapack Labs has cataloged and reported on ransomware variants in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

This TLP AMBER report is available only to Red Sky Alliance members.

Reaper IoT Botnet Exploits and Mitigations


Reaper is a recently discovered Internet of Things (IoT) botnet that is proving to be more sophisticated and aggressive than the infamous 2016 Mirai IoT botnet. Despite the large botnet size reported by Tenable, very few IoT Reaper specimens are available on VirusTotal and other malware sharing sites. This is important to note, since the number of specimens is often a reflection of the number of infections; for example, there are currently thousands of Mirai specimens, as opposed to a few dozen IoT Reaper specimens. To date, no Distributed Denial of Service (DDoS) attacks have been observed from the IoT Reaper botnet. Wapack Labs analysts are providing this document as a summary of mitigations and indicators for Reaper malware and the exploits it has been observed using. Wapack Labs recommends testing all signatures before deployment...READ MORE

Wapack Labs has cataloged and reported on IoT and botnets in the past. An archive of related reporting can be found in the Red Sky Alliance portal.  

This TLP AMBER report is available only to Red Sky Alliance members. 

New Carding Shop with Extensive History


Wapack Labs recently observed a new carding forum. The forum was registered through a Russian proxy registrant and was initially hosted on a Russian IP address; it was later moved between several Russian hosts before ending up behind a Cloudflare IP. The forum began operation on 11 January 2017 and has since offered a high volume of credit cards for sale. Because the sales history is older than the website registration, the current inventory is likely a continuation and re-branding of earlier illegal forums, or the operators possess a large hacking team. The owner of the forum has been active since 23 September 2016 on another forum, and Wapack Labs believes this actor began this extensive credit card sales history there as a verified vendor before opening the current forum...READ MORE

Wapack Labs has cataloged and reported on carding forums in the past. An archive of related reporting can be found in the Red Sky Alliance portal. 

This TLP AMBER report is available only to Red Sky Alliance members. 

Saturday, November 18, 2017

(Responsible) victim notification?

For three years we've been briefing anyone who'd listen about a widespread campaign that we identified. The information isn't showing up in the haveibeenpwned site, or many of the other sources. We've talked to everyone from our customers to other information sharing groups, law enforcement, and national CERTs, briefing it at FIRST technical conferences on two occasions. We've passed on thousands of victim notifications to folks who we thought might help let people know they'd been compromised, but we continue to see victims exploited.

About a month ago we began testing a service called RiskWatch. The idea is, we monitor this campaign and other sources of victim information and if we see a compromised email account, we send out a standardized notification. The notification was built to be polite and informative, yet readable. It starts out with who we are, and links to places where they can verify who we are. It has a 2 minute cartoon explainer video, a few things about what they can do, and if they choose, a link to RiskWatch. At no charge, the recipient can click through, register, and come into their own session where they see the email addresses, a timeline, and other information, enough information to be able to get help, or fix things themselves.

At the same time, if they want to come back and view the findings regularly, or receive weekly or monthly notifications, they can purchase a subscription starting at $9 per month. This is in no way required, but it's available.


Early last year, in an attempt to notify, we sent over 200,000 notifications to the abuse email addresses listed in domain registrations. We used a text-based format similar to that used by Carnegie Mellon/CERT-CC back in the early days of victim notification. We received mixed feedback. Some were appreciative of the notification, others, well, not so much. Today however, many use registration privacy proxies. So… we sent what we thought was a polite email, with that explainer video, short instructions, and a link. We tried this for about a month, retiring the email as part of A/B testing with a new format currently in the works.

We struggled with the idea of email. As security folks, we teach people not to click. We've tried direct personalized notifications, we've talked with scores of folks that we thought might be of assistance in getting the word out; yet, the problem grows exponentially.

We've seen a few clean-ups as a result of the notifications —even without having them come to our site, but the others? They continue to be exploited.

So here's the question: if we know about all of these victims, many with exposed passwords, others hitting sinkholes, most having no idea what to do about it, why not let them know? If their social security numbers are lost, and their private information was on the web, are they notified? Yes.

Is email the best way? No. We knew that going in. This is a hard question. We're not sure what the right answer is. We're not a big company. We share information and we try our best to always do the right thing, but in this case, there are SO many victims.

We're open to suggestions. How do we get the word out without looking like spammers? If there are others with thoughts on how this might be accomplished, we'd love to hear it.

For those of you who've received the notifications and thought it was spam? We apologize. That however, does not make the notification any less real. We might have done it better (and we will in the future) but we would urge you to take it seriously.

Friday, November 17, 2017

Wapack Labs Keylogger Blacklist


Compromised Email Accounts 
Reporting Period: Nov 7-12, 2017

Between Nov 7-12, 2017, Wapack Labs identified the following 366 unique email accounts as compromised by keyloggers and used to log into multiple types of organizations, covering not only email access but also financial, social media and other services. Passwords have been redacted to protect the users.

Action recommendation: Users should immediately place each of these email accounts in a block status in intrusion prevention systems.

This TLP AMBER report is available only to Red Sky Alliance members. 

Wapack Labs Sinkhole Blacklist

Reporting Period: Nov 12, 2017

Wapack Labs identified connections from the following 256 unique IP addresses checking in with one of the many Wapack Labs sinkholes.

Action recommendation: Users should immediately place each of these IP addresses in a monitor or block status in intrusion prevention systems.

This TLP AMBER report is available only to Red Sky Alliance members. 

New Underground Market

Wapack Labs recently observed a new underground market that trades a variety of illegal goods, including credit cards, fullz, exploits, botnet builders/installs, and other cyber crime related goods. The forum's structure and listings resemble another well-known market and may be owned by the same individuals. One seller in the market is offering GozNym 2.0 botnet installs; this seller offers the same botnet on other Tor-based black markets under the same alias. The fraud sections of the market are extremely active. Although the market is heavily dominated by drugs and other non-cyber illegal sales, its cyber fraud sellers appear highly rated. Wapack Labs has found that most high-rated sellers primarily deal in stolen discount gift cards obtained through carding, or in stolen electronic goods such as like-new Apple and Samsung products. Additionally, fraud sellers at this level are often observed making bulk sales of bank accounts and credit cards...READ MORE

Wapack Labs has cataloged and reported on underground Tor markets in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Wednesday, November 15, 2017

Malicious URLs Used in Phishing Attempt

On 07 November 2017, Wapack Labs, using the Cyber Threat Analysis Center (CTAC), observed various emails carrying URLs on two phishing domains. The two phishing domains had different URLs but used the same web page interface. One is a compromised domain with an anti-virus detection ratio of 10/64 that has been leveraged since 12 June 2017; it is not flagged as suspicious by the Google Chrome browser. The second domain has an anti-virus detection ratio of 11/65 and has been leveraged since 02 October 2017; it is flagged as suspicious by Google Chrome. Both domains are still active. The phishing attempt appears to be a simple credential-stealing scheme: the page is disguised as Microsoft OneDrive and attempts to get users to enter their passwords. Wapack Labs is providing this warning report for situational awareness...READ MORE

Wapack Labs has cataloged and reported on malicious URLs and phishing attempts in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Monday, November 13, 2017

B.I.T.S Loader Attracting Cybercriminals


The Background Intelligent Transfer Service (BITS) is a legitimate Microsoft Windows component used for creating and monitoring file transfer jobs over the network. Because it is a trusted, built-in Windows service, its activity is not widely detected by AV solutions, making it attractive to cybercriminals for malware delivery and persistence. Recent emails targeting the financial sector invoke BITS from heavily obfuscated Word documents and from LNK files. Monitoring BITS jobs in work environments is important to identify unwanted or unauthorized downloads and uploads. In the past, BITS has been used to deliver malware such as the DarkComet RAT and GlobeImposter ransomware, and it is assessed with high confidence that it will continue to be used for both malware delivery and persistence, particularly against Windows-based systems that would otherwise be considered highly locked down or security hardened. This report focuses on these two recent implementations of BITS and looks at other ways BITS is leveraged in the wild...READ MORE
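As an added example (not part of the Wapack Labs report), the following PowerShell audits BITS on a Windows host for the abuse patterns described above: live jobs that pull from non-allowlisted sources, drop files into user-writable paths, upload data, or carry a notification command line (the hook commonly used for persistence), plus the transfer history recorded in the Microsoft-Windows-Bits-Client/Operational log. The allowlisted hosts are assumptions to tune for your environment, and the Event ID 59 field names (`url`, `name`) are taken from the Bits-Client event manifest; verify them against a local event before deploying.

```powershell
# Added example: audit BITS jobs and BITS transfer history on a Windows host.
# Assumes PowerShell 5.1 with the BitsTransfer module; run elevated so that
# Get-BitsTransfer -AllUsers can see jobs owned by other accounts (SYSTEM, other users).

Import-Module BitsTransfer

# Assumed allowlist of hosts BITS is expected to download from in this environment.
$AllowedHosts = @(
    'download.windowsupdate.com',
    'update.microsoft.com',
    'dl.delivery.mp.microsoft.com'
)

function Test-AllowedUrl {
    param([string]$Url)
    try {
        $uri = [System.Uri]$Url
    } catch {
        return $false                      # unparsable remote name: treat as suspicious
    }
    if ($uri.HostNameType -eq [System.UriHostNameType]::IPv4 -or
        $uri.HostNameType -eq [System.UriHostNameType]::IPv6) {
        return $false                      # raw IP literals are rarely legitimate update sources
    }
    foreach ($h in $AllowedHosts) {
        if ($uri.Host -eq $h -or $uri.Host.EndsWith(".$h")) { return $true }
    }
    return $false
}

$findings = @()

# 1. Live and suspended jobs. A job with NotifyCmdLine set runs that command when the
#    transfer finishes, which is how BITS is turned into a persistence mechanism.
foreach ($job in Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue) {
    $reasons = @()
    if ($job.NotifyCmdLine) {
        $reasons += "notify command line set: $($job.NotifyCmdLine)"
    }
    if ($job.TransferType -ne 'Download') {
        $reasons += "non-download job ($($job.TransferType)), possible exfiltration"
    }
    foreach ($f in $job.FileList) {
        if (-not (Test-AllowedUrl $f.RemoteName)) {
            $reasons += "remote source not allowlisted: $($f.RemoteName)"
        }
        if ($f.LocalName -match '\\(Temp|AppData|Public|ProgramData)\\') {
            $reasons += "drops into user-writable path: $($f.LocalName)"
        }
    }
    if ($reasons) {
        $findings += [pscustomobject]@{
            Source  = 'LiveJob'
            Name    = $job.DisplayName
            Owner   = $job.OwnerAccount
            When    = $job.CreationTime
            Reasons = $reasons -join '; '
        }
    }
}

# 2. History. Event ID 59 records the URL each transfer started from, so jobs that were
#    cancelled or completed (and are no longer listed) still leave a trace here.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59
} -MaxEvents 500 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = $xml.Event.EventData.Data
    $url  = ($data | Where-Object Name -eq 'url').'#text'
    $name = ($data | Where-Object Name -eq 'name').'#text'
    if ($url -and -not (Test-AllowedUrl $url)) {
        $findings += [pscustomobject]@{
            Source  = 'EventLog'
            Name    = $name
            Owner   = $e.UserId
            When    = $e.TimeCreated
            Reasons = "transfer started from non-allowlisted URL: $url"
        }
    }
}

$findings | Sort-Object When -Descending | Format-Table -AutoSize -Wrap
```

On hosts without the BitsTransfer module, `bitsadmin /list /allusers /verbose` exposes the same job fields (including the notification command line) as text. Because the operational log only retains a limited number of events, forward it to a SIEM if you need history beyond a few days.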

Wapack Labs has cataloged and reported on malware targeting the financial sector in the past. An archive of related reporting can be found in the Red Sky Alliance portal.  


This TLP AMBER report is available only to Red Sky Alliance members.

Tuesday, November 7, 2017

Possible Emerging Threat – Elastic Stack Targeting

On 5 November 2017, Wapack Labs identified potential targeting of the Elastic Stack (formerly known as ELK) for ransomware or extortion. While only two data points exist, this could suggest the beginning of a trend of attacks against Elastic instances. What is Elastic? The Elastic Stack, previously known as ELK, is an open source alternative to commercial log aggregation and analysis tools like Splunk. With over 500,000 new downloads per month and 100 million to date, Elastic is one of the most widely deployed analysis and visualization stacks for high-end analytics, which makes Elastic instances a plentiful target...READ MORE

Wapack Labs has cataloged and reported on potential targeting of analysis tools in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Friday, November 3, 2017

New Carding Shop

Wapack Labs observed a threat actor advertising a new carding shop on a hacking/carding forum. This threat actor first advertised the carding services on 21 July 2017 and has been an active member on the forum, frequently advertising updates to their carding website. Currently the shop has over 500,000 stolen credit cards for sale from more than 100 banks, and it updates its database with fresh cards on a bi-weekly basis. To access the shop, users must create a free account and enter a username, password, Jabber address, and ICQ number (users can enter fake details). Once the account is created, users can freely browse the website. Web sections include news, cards, rules, orders, billing, checker, and support. The cards section lists the stolen credit cards, sorted by database, bank name, type, card issuer, country, state, city, or BIN. Full card information is provided before purchasing a card. Prices of the cards ranged from $1 to $40 USD. The checker section allows users to enter credit card information to see if the card is still valid. The shop charges 30 cents per check and has a refund policy of 5 minutes after purchase if the card is invalid...READ MORE

Wapack Labs has cataloged and reported on carding shops and fraud in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Russian ISP Doing Business with North Korea

On 01 Oct 2017, TransTeleCom, a Russian-owned telecommunications company, began routing North Korean Internet traffic. TransTeleCom owns one of the largest fiber optic networks in the world. It is a fully owned subsidiary of Russian Railways, a state-owned joint-stock company under the Russian Ministry of Transport. North Korea's external Internet connections were historically serviced by China Unicom, but will now be provided by both China Unicom and Russia's TransTeleCom. IPv4 traffic route allocation is 60 percent through TransTeleCom and 40 percent through China Unicom; Unicom will continue providing 100 percent of IPv6 routing for North Korea. The contract between TransTeleCom and North Korea was originally signed in 2009. The recent Russian telecommunications escalation seems to be in support of North Korea after U.S. Cyber Command Distributed Denial of Service (DDoS) attacks. Having routes through both China and Russia limits North Korea's dependence on any one country while it faces intense geopolitical pressure. North Korea's shift from being predominantly Chinese hosted to Russian support is primarily due to U.S. political pressure on China to sever ties with North Korea over the recent nuclear and missile tests, and to China's failure to protect North Korea from the recent U.S. DDoS attacks. TransTeleCom operates similarly to China Unicom, the current North Korean Internet Service Provider (ISP), whose fiber is laid along the Sino-Korean Friendship Bridge. TransTeleCom, however, is believed to be delivering North Korea's Internet over the Korea-Russia Friendship Bridge, the only crossable border between North Korea and Russia. Wapack Labs will continue to monitor malicious cyber activities out of North Korean netblocks...READ MORE

Wapack Labs has cataloged and reported on North Korean cyber activity in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Monday, October 30, 2017

Friday Afternoon CTAC Attack!

How many times have you walked into the office, only to find your boss looking for answers to the threat of the day? You know what I mean: "I saw this on the news this morning. What's it mean?" or "Hey boss, we just got hit with this…" and now you have to explain it (and fast!).

If you've ever been in one of these situations read on...

Every Friday afternoon at 2:00, we hold a short-form training session called CTAC Attack! CTAC is short for Cyber Threat Analysis Center, and it's the desktop of tools that we provide to our subscribers for their own analytics. CTAC Attack! goes like this…

The idea is that in 20 minutes or less, a presenter shows a group of analysts, virtually via webinar, how they use a specific tool, or a combination of tools, to solve analytic problems. Twenty minutes is usually more than enough time to show the tool, describe how the analyst uses it to solve a problem, and then leave 10 minutes for Q&A. Presenters earn CTAC Attack! T-shirts, and attendees are entered into a drawing to win one.

Enjoy the video. Interested in seeing more? Drop me a note.

Until next time,
Have a great weekend!

Friday, October 27, 2017

Dark Web Site Selling ATM Malware

Wapack Labs observed ATM malware being sold on a dark web site. The malware targets all models of Wincor Nixdorf ATMs; the website explains that the Wincor 200xe ATMs are the easiest cash machines to exploit. The malware currently costs $1,500.00 in Bitcoin for the first month (beginning 15 October 2017); after the first month, the 'registration' fee will be doubled. The $1,500.00 buys one credit, which is valid for a single use on one ATM. To execute the attack, users must log in to their account on the website and receive a code (for one credit). The malware then shows the attacker the amount of cash in each money cassette inside the ATM, bypasses the normal ATM system processes, and makes the ATM dispense all the bills in the desired cassette. The website also provides video links on its Tor site demonstrating the method to fraudulently withdraw money, along with a free 10-page step-by-step Word document explaining how to use the malware. This guide describes in detail the tools required, software instructions, and details on different types of ATMs, including how the ATMs operate and how to find the interior USB ports...READ MORE

Wapack Labs has cataloged and reported on ATM malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Thursday, October 26, 2017

In Search of Router Scanner Used in Cyber Campaign


Wapack Labs has attempted to identify the router scanner used in a cyber campaign conducted by a threat actor group believed to be a Chinese hacker group targeting Taiwan and Japan. All of the reports on this group on the Chinese Internet are translations of the June 2017 Trend Micro report that identified the group; no independent analysis of the group was found, and no references to the group's name predate the Trend Micro reporting. Searches on the Chinese term for "router vulnerability scanner" all returned the same tool, RouterhunterBR, written by a Brazilian security researcher named Jhonathan Davi who lives in Brasilia. The identification of RouterhunterBR as the tool possibly used in this campaign is circumstantial; further investigation could help confirm the connection if the targeted routers were checked for the vulnerabilities that the author states the tool searches for...READ MORE

Wapack Labs has cataloged and reported on Chinese hacking groups in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

This TLP AMBER report is available only to Red Sky Alliance members.